Article summary from the Cyber Threat Intelligence Handbook, compiled in collaboration between Cyberwatch Finland and DNV Cyber. The summary was published in Cyberwatch Finland Magazine 01/2026. The handbook will be published on 26th of May 2026 in both Finnish and English and will be freely available to everyone. The digital version will be published on both Cyberwatch Finland’s own website and DNV Cyber’s website.
Introduction
Cyber threats are constantly changing and evolving, and organisations are increasingly being required to absorb and make use of information concerning cyber threats. This is emphasised not only in current practical needs but also in legislative requirements. Whilst the EU’s Network and Information Security Directive NIS2 (Directive (EU) 2022/2555) and its nationally applicable versions (the Cybersecurity Act, the Act on Information Management in Public Administration, and the Act on Electronic Communications Services) do not directly oblige organisations to acquire or make use of cyber threat intelligence, they do require the assessment and management of cyber threats, the development of an organisational cyber risk management model on this basis, and the reporting of significant incidents to the supervisory authority. With the new Cybersecurity Act, company management now bears greater obligations than ever before, and the new requirements place increased emphasis on the personal responsibility of senior personnel for implementing risk management measures, and for any failure to do so. It is almost impossible to implement cyber risk management measures without real-time threat intelligence, because without it visibility of the threat landscape is severely limited and unrealistic. The more comprehensive an organisation’s cyber threat intelligence is, the more time it has to prepare.
In the modern information society, every organisation must prepare for cyber threats — either directly or indirectly. A cyber threat is a potential situation, event, or action that may damage or disrupt communications networks and information systems, users of such systems, and other actors. Far too often, the level of preparedness within organisations is not sufficient to treat the materialisation of a cyber threat with the seriousness it warrants. Reactive rather than proactive approaches continue to dominate, with measures taken only after a cyber threat has occurred, reputational damage has already been sustained, and the authorities have taken an interest. Meaningful and timely threat intelligence seeks to bring predictability and efficiency to measures taken, whilst minimising the cost of damage. Cyber threat intelligence aims to bring both time and background information to decision-making. For threat intelligence to be of benefit to an organisation, its leadership must also have sufficient capacity to make decisions based upon it in order to steer the organisation in the right direction. Cyber threat intelligence is a prerequisite for increasingly sophisticated and precise data-driven leadership when planning and implementing cyber protection.
Levels of Cyber Threat Intelligence
Cyber threat intelligence refers to information acquired from or relating to the operating environment, concerning which threats are most probable and how to guard against them. In practice, it is information that guides an organisation’s decisions regarding cybersecurity investments, operating models, or technical solutions. Cyber threat intelligence, and the process of producing it, closely resembles the intelligence cycle. The traditional intelligence cycle is a continuous, phased model for collecting, analysing, and delivering information to support decision-making. It is important for organisations — and especially senior management — to understand the different types of threat intelligence that are available. Cyber threat intelligence is often divided into three levels to aid comprehension: strategic, operational, and technical (sometimes also tactical) threat intelligence.

Developing and Evaluating the Threat Intelligence Process
The most important criterion that can be set for threat intelligence is its actionability. This means that the threat intelligence an organisation produces or acquires is, by its nature and content, such that it addresses needs, leads to direct action, or confirms the validity of measures already taken. Every organisation has its own resources and objectives, which determine the scope of the threat intelligence process it pursues and the extent to which in-house activity and the use of partners take place. Growing an organisation’s cyber maturity is a process by which it moves from ad hoc security towards a systematic, risk-based, and proactive approach that brings together people, processes, and technology.
The quality of the cyber threat intelligence process can be assessed through cyber maturity. The maturity level indicates the extent of an organisation’s cyber capability to protect itself from cyber threats and ensure business continuity in the event of disruption. Cyber maturity grows as working practices and processes are developed in response to feedback and the evolving cyber environment. Measuring one’s own maturity level may be necessary when selecting suppliers and other partners. In the case of subcontractors, it is useful to assess their technological capabilities — that is, which systems they use and what data sources they have access to. The cyber threat intelligence process is almost always based on information sharing and collaboration. It is so broad and multifaceted in nature that even the best-resourced organisations would be unwise to attempt to do everything themselves; securing the right partners is an important part of a successful process. Partnerships may take the form of peer-to-peer information-sharing networks or subcontractor and supplier relationships through which information or expertise is acquired. The best partnership is one in which both parties are able to give and receive information, enabling mutual growth and development.
The Cyber Threat Intelligence Process
The cyber threat intelligence process (CTI process) in this handbook is divided into the phases of direction, collection, analysis, and dissemination. The aim of the cyber threat intelligence process is to produce additional time for decision-making and to shift from reactive behaviour to a proactive, anticipatory one. Through a cyclical threat intelligence process, it is possible to develop and guide management’s capacity to understand cyber threat intelligence. It encompasses all stages from the initial plan through to the collection and utilisation of information, as well as the implementation of improvements identified during the process in preparation for the next collection cycle. During the process, raw data is shaped into information and ultimately into knowledge that supports or guides decision-making. In practice, each stage of the cycle operates simultaneously alongside the others, and several CTI processes may be running concurrently.

Figure: a single cycle of the cyber threat intelligence process.
Guidance
The guidance phase of the CTI process is often the most critical for the process’s success. In this phase, management defines the process objectives, resources, and mandate for achieving those objectives. Without carefully executed direction, it is likely that resources will be wasted on collecting or processing the wrong type of information, or that not all available and necessary information will be collected or utilised. It is the responsibility of management, through well-executed direction, to protect the organisation’s IT assets from various threat actors, as even a single oversight can lead to a significant security incident. In simplified terms, the guidance phase concerns the planning of threat intelligence collection and utilisation, as well as the preparation for the practical implementation of those plans. The CTI process is ultimately a matter of investment in security — such as the protection of IT assets — and if a return on that investment is desired, it ought to be planned and prepared with care.
Collection and Processing
The phase following guidance is collection and processing. Collection refers to the acquisition of information at various stages of processing (whether raw data or pre-analysed intelligence) in accordance with the plans made in the preceding phase. Processing refers to the conversion of collected information into unified, actionable, and contextual threat information for subsequent analysis and use. In other words, in order for information to be utilised, it must first be found and collected. Only once this collected information has been refined does it become usable. When launching a new cyber threat intelligence process, there is a common tendency during the collection phase to gather as much information as possible from as many different sources as possible. Whilst an abundance of information is sometimes beneficial, this approach can easily lead to a situation where there is too much input and security teams become paralysed by spurious alerts and a mass of data requiring manual review. During the collection phase, it is therefore important to bear in mind the needs defined in the preceding phase and to direct activity accordingly. An excess of information can lead to errors just as readily as insufficient collection. Only the most advanced organisations — those with the greatest investment in the cyber threat intelligence process — should attempt to collect all available information.
Analysis
The third phase is analysis. During the analysis phase, the collected raw data is transformed into threat intelligence through the analytical process. Depending on the quality of the data collected, this can be a straightforward exercise or one requiring considerable effort. The aim is to add meaning to the raw data, to combine information from different sources to draw conclusions, and ultimately to produce intelligible information to support decision-making and thus enable concrete action. Of particular importance to the outcome is the clear definition of intelligence requirements and information needs at an early stage of the process. In cyber threat intelligence, analysis may be carried out equally well by a human or a system. Automation and the use of artificial intelligence, particularly in the analysis and processing of technical data, are continually developing, though human analysts continue to play a significant role, especially in strategic-level analysis.
Distribution
The final phase of distribution and utilisation is a prerequisite for the work to be of practical benefit. The most important criterion for what type of threat intelligence an organisation should acquire is its usability. Whether the ultimate recipient of the threat intelligence is a system, an individual, or a department within the organisation, the task of this phase is to ensure that the collected and analysed intelligence reaches its intended destination, and that the recipient knows what they are receiving and what they should do with it. The distribution of cyber threat intelligence concerns both the organisation itself and external partners. The functioning of networks depends on all parties both producing and receiving information; therefore, organisations working with cyber threat intelligence must also be prepared to share the intelligence they have acquired and processed. In particular, there must be complete confidence in the quality of the intelligence being shared, or alternatively, any uncertainty must be expressly communicated. The question to consider is what type of information the organisation is in a position to share and with whom. The criticality of threat intelligence must be determined internally within the organisation, and the various information-sharing networks or partners classified according to what level of information may be shared with whom. The most important task of the distribution and utilisation phase is to ensure that plans are carried out and adjusted as necessary.
Direction of Development
The most important purpose of cyber threat intelligence is to produce time and information for decision-making. The time it provides is intended for the advance identification of and response to threats. This window is continually shrinking, and obtaining early warning is becoming ever more difficult. Threat actors’ operations have accelerated, and the time between the disclosure of new vulnerabilities and their exploitation has shortened. At present, one often speaks of minutes between vulnerability disclosure and attempted exploitation. Technological advancement favours attackers, and artificial intelligence, for example, has already provided significant advantages to those carrying out cyberattacks. As a result of the increasingly intensive cyber influence activity, the need for up-to-date cyber threat intelligence has grown further still. The actions needed to protect an organisation’s most critical assets are required more rapidly than a human being can implement them. In addition to acute, rapidly actionable intelligence, there is a greater need for strategic and operational intelligence as the overall security situation deteriorates and state-sponsored cyber influence activity becomes more prevalent.
The need for cyber threat intelligence affects every organisation, but not in the same way. The resources available to each organisation, and its needs, determine the individual circumstances in which it operates. The process of acquiring and utilising cyber threat intelligence is quite broad and multifaceted. Successfully implementing it requires motivation, resources, and experience. The cyber threat intelligence process must be understood as a continuously active and evolving function. The cycle must keep turning, and feedback must be gathered on the execution of each phase. The most important factor for the continued development of the process is the willingness to develop it. The cyber threat intelligence process should not be seen merely as an obligatory measure, but as a value-adding investment that may save an organisation from a debilitating incident, financial losses, and reputational harm.
Conclusion
The handbook is primarily intended for Finnish critical sector or defence sector actors falling within the scope of the Cybersecurity Act, though its content can equally be applied more broadly, regardless of an organisation’s sector or size. In the handbook, the phases of the CTI process (direction, collection, analysis, and dissemination) are each addressed individually from three distinct perspectives. At the outset of each phase, the handbook covers the responsibilities and actions of organisational management. This is followed by a discussion of operational-level measures and the duties of operational management. Finally, the practical and technical tools available for use at each phase are addressed. The intention is for representatives of each perspective to derive concrete benefit, such that the handbook conveys as comprehensive and cross-cutting an understanding of the entire cyber threat intelligence process as possible.